v4.2.0

@nmgaston nmgaston released this 24 Jan 00:14
· 34 commits to develop since this release
2a083fd

Changed

  • RTC 536078 - Added package list option to inbc, cloud, and internal manifest. This allows SOTA to run an install/upgrade command on a set of individual packages rather than all installed packages.

Added

  • RTC 536601 - Added 'source' command to INBM. This command manages /etc/apt/sources.list and /etc/apt/sources.list.d/* and associated gpg keys on Ubuntu.
  • RTC 537769 - Added verification of GPG key URIs against a list of trusted repositories for enhanced security: check whether the sourceApplication GPG key URL is in a trusted repo.

Fixed

  • RTC 534426 - Could not write to /var/log/inbm-update-status.log on Yocto due to /var/log being a symlink to /var/volatile/log.
  • RTC 523677 - Improve INBC error logging - invalid child tag not printed
  • RTC 522583 - Fix missing SOTA logs
  • RTC 534998 - Fix SOTA failure due to snapshot error
  • Fixed some mismatched types in abstract classes vs subtypes in dispatcher agent
  • Fixed some container mode issues

Security

  • RTC 533615 - Validate GUID format in manifest using XML schema. Ensure the GUID in the manifest, if provided, matches one of the GUIDs on the system before performing a FOTA.
  • dependabot: update golang.org/x/net from 0.14.0 to 0.17.0 in /inbm/trtl (addresses CVE-2023-39325, CVE-2023-44487)
  • update pypi urllib3 from 1.26.17 to 1.26.18 (addresses CVE-2023-45803 in urllib3)
  • dependabot: bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible in /inbm/trtl (addresses GHSA-jq35-85cj-fj4p)
  • update included reference certifi source code from 2020.12.05 to 2023.7.22, which was not a security issue per se but was flagged in BDBA as it contains CVE-2022-23491 and CVE-2023-37920
  • dependabot: Bump pyinstaller from 5.13.0 to 5.13.1 in all agents/programs (addresses CVE-2023-49797)
  • RTC 536046 - Add a workflow to perform signature checks for AOTA packages if user enrolled a key during provisioning